Chapter 17: Issues subject to national law – Unlocking the EU General Data Protection Regulation

Overview

Why does this topic matter to organisations?

Although a key aim of the GDPR is to harmonise data protection law across the EU, there are a number of areas in which the GDPR leaves it to Member States to adopt their own national rules (e.g., because Member States have constitutional rules in these areas, or because these issues fall outside the EU's legislative competence). Consequently, although the GDPR implements a more consistent set of data protection compliance requirements across the EU, there are still areas in which organisations will face inconsistent regulatory requirements from one Member State to the next.

What types of organisations are most affected?

All organisations that operate in more than one Member State will be affected by the lack of harmonisation in these areas, and should be mindful of possible differences in national legislation from one Member State to the next.

What should organisations do to prepare?

Organisations operating in more than one Member State should:

- consider which Member States' laws may apply to the organisation's operations (see Chapter 4); and
- ensure that the organisation is familiar with its obligations under the applicable national laws that fall outside the scope of the GDPR.

Detailed analysis

Issue | The Directive | The GDPR | Impact

The EU does not have the power to legislate on all areas of law. To the extent that EU law does not apply in a particular area, that area is exempt from the provisions of EU data protection law.

The Directive (Rec.13; Art.3(2)): Any data processing activities that fall outside the scope of EU law are not subject to the Directive.

The GDPR (Rec.16; Art.2(2)(a)): Any data processing activities that fall outside the scope of EU law are not subject to the GDPR.

Impact: The GDPR essentially repeats the position set out in the Directive.

Processing of personal data and freedom of expression and information

Member States remain responsible for determining the limits of free expression under their respective national laws. This may mean that data can be processed for the purposes of free expression in some Member States but not others.

The Directive (Art.9): Member States must provide for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.

The GDPR (Rec.4, 65, 153; Art.17(3), 85): Member States must reconcile the right to protection of personal data under the GDPR with the right to freedom of expression and information, including the processing of personal data for journalistic purposes and the purposes of academic, artistic or literary expression.

Impact: The GDPR essentially preserves the position as it stands under the Directive. In both cases, Member States remain responsible for determining the balance between the right to privacy and the right to freedom of expression.

Personal data contained in official documents

Member States are responsible for striking a balance between the right to privacy and the need to process personal data where such processing is in the public interest.

The Directive (Rec.45; Art.7(e)): The Directive permits Member States to pass laws regarding the processing of personal data for public interest purposes carried out by official authorities, but it does not expressly deal with personal data contained in official documents.

The GDPR (Art.86): Personal data contained in official documents may be processed, in order to reconcile public access to official documents with the right to the protection of personal data.

Impact: This provision is limited in its scope, and is unlikely to materially affect organisations that do not regularly process personal data contained in official documents.

Processing national ID numbers

Member States are free to set their own rules regarding the processing of national ID numbers.

The Directive (Art.8(7)): Member States are free to determine the conditions under which national ID numbers may be processed.

The GDPR (Art.87): Member States are free to determine the conditions under which national ID numbers may be processed, subject to appropriate safeguards for the rights and freedoms of data subjects pursuant to the GDPR.

Impact: The GDPR essentially repeats the relevant provision from the Directive, only adding an obligation to implement appropriate safeguards for the rights and freedoms of data subjects.

Processing in the employment context

In most respects, the employment laws of Member States are outside the legislative competence of the EU. Therefore, EU data protection law recognises that each Member State must find its own balance between the right to privacy and the requirements of national employment law.

The Directive (Art.8(2)(b)): Processing is permitted where it is necessary for the purposes of giving effect to the rights or obligations of the controller under national employment law, subject to adequate safeguards.

The GDPR (Rec.52, 127, 155; Art.9(2)(b), 88): Member States may create new laws or conclude collective agreements to ensure the protection of personal data in the context of national employment law. These must include appropriate safeguards. Member States must inform the Commission of any laws adopted in this area.

Impact: Like the Directive, the GDPR leaves room for Member States to create laws governing the relationship between the GDPR and national employment law. Organisations will need to exercise additional caution in Member States that apply additional protections to the privacy rights of employees.

EU data protection law recognises the fact that there are certain purposes for which personal data may be processed in the public interest, outside of the GDPR's standard requirements.

The Directive (Rec.29, 40; Art.6(1)(a), (e), 11(2), 13(2)): Subject to appropriate safeguards, and provided that there is no risk of breaching the privacy of the data subject, Member States may restrict the data subject's right of access to their personal data when it comes to the processing of personal data for scientific, historical or statistical purposes.

The GDPR (Rec.156; Art.89(1), (2)): Subject to appropriate safeguards, and provided that there is no risk of breaching the privacy of the data subject, Member States may restrict the data subject's rights to access, rectification, restriction of processing and to object when it comes to the processing of their personal data for scientific, historical or statistical purposes.

Impact: The provisions of the GDPR are essentially similar to those of the Directive. However, it remains to be seen whether Member States will amend any safeguards which they have already put in place under the Directive.

Obligations of professional secrecy

Some Member States impose specific obligations of professional secrecy onto organisations in certain sectors (e.g., law firms or banks).

The Directive (N/A): The Directive discusses professional secrecy in the context of health data (see Rec.33 and Art.8(3)) but does not grant Member States specific powers in respect of professional secrecy obligations.

The GDPR (Rec.50, 53, 75, 85, 164; Art.9(2)(i), (3), 14(5)(d), 54(2), 90): Member States may create their own rules in relation to controllers or processors that are subject to obligations of professional secrecy. Member States that adopt such rules must inform the Commission.

Impact: In those jurisdictions that have professional secrecy laws, the relationship between those laws and the Directive has always been governed by national law. The GDPR does not change this approach.

Processing personal data in the context of churches and religious establishments

In a number of Member States, membership of a church or other religious establishment can have legal consequences for individuals (e.g., in some Member States, it affects the taxes payable by those individuals).

The Directive (Rec.35; Art.8(2)(d)): Processing is permitted when carried out in the course of the legitimate activities of a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade-union purpose, and on the condition that the processing relates solely to the members of the body, or to persons who have regular contact with it in connection with its purposes, and that the data are not disclosed to third parties without the consent of the data subjects.

The GDPR (Rec.55, 165; Art.91): Where, in a Member State, churches and religious associations or communities impose rules regarding the processing of personal data, such rules may continue to apply, provided that they are brought into line with the provisions of the GDPR. Churches and religious associations that impose such rules are subject to the oversight of the relevant DPA.

Impact: The amended wording of these provisions is unlikely to be of practical significance for the vast majority of organisations.

Further analysis

Commentary: The GDPR does not bring complete harmonisation

Despite the fact that a key aim of the GDPR is to harmonise EU data protection law across all Member States (see, in particular, Chapter 15), the GDPR leaves scope for divergences between Member States in a number of areas. This is, to an extent, the inevitable consequence of the existing limits on the EU's power to legislate over the internal affairs of Member States. Organisations are advised to keep abreast of guidance on these topics that is likely to be produced by the EDPB and affected DPAs, as the GDPR is rolled out.

Commentary: Relationship between EU data protection law and freedom of expression

The balance between data protection and freedom of expression is a fine one. If the balance is too far in favour of the former, it is all too easy to imagine scenarios in which public figures use data protection law to suppress negative stories about themselves. If the balance is too far in favour of the latter, it is foreseeable that journalists might run roughshod over the rights of individuals, in the interests of publishing a story. The Directive and the GDPR both leave it to each Member State to determine the right balance in the national context. Organisations that are involved in the media should carefully consider the fact that the rules in this area will differ from one Member State to the next. Note that in December 2009, with the entry into force of the Lisbon Treaty, the CFR became legally binding. As a result, case law of the CJEU on these matters will play a significant role in determining this balance.

Commentary: Relationship between EU data protection law and national employment law

Both the Directive and the GDPR address the fact that employment law varies from one Member State to the next, and that the rules regarding the relationship between EU data protection law and employment law need to be determined at the national level by each Member State. In practice, this means that many organisations will find that they face different requirements, with respect to the processing of personal data of employees, from one Member State to the next.